d71e3549a3aaeacbdc919630dbd1d5f67777d3fd7ec10eaae36099f1bdeef50e

General

Target

Proforma Invoice PDF.exe
Size

82KB
MD5

e77c819969d8520d9bbd027dd1bfaa04
SHA1

27d6482b5777767e98838d5dd2e9d431e2f3ae97
SHA256

6fa5cdc1c01f21f752a968277cb495f3bf83b9171456b83483be4d5d4cea543d
SHA512

de26847a6cc7244ecf566ab2e3126ab27f14b86a8404f30871fc0606fcac8e2dec21c2552c777e7faa945136343e0999c5017e015d72ab79990c5373d40f5748

Score

10^/10

suricata

Malware Config

Signatures

suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata: ET MALWARE Single char EXE direct download likely trojan (multiple families)
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
Downloads MZ/PE file

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Proforma Invoice PDF.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Proforma Invoice PDF.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Proforma Invoice PDF.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

Proforma Invoice PDF.exe

pid process

1688 Proforma Invoice PDF.exe
1688 Proforma Invoice PDF.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

Proforma Invoice PDF.exe

description pid process

Token: SeDebugPrivilege 1688 Proforma Invoice PDF.exe

pid	process
1688	Proforma Invoice PDF.exe
1688	Proforma Invoice PDF.exe

description	pid	process
Token: SeDebugPrivilege	1688	Proforma Invoice PDF.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

Proforma Invoice PDF.exe

description	pid	process	target process
PID 1688 wrote to memory of 472	1688	Proforma Invoice PDF.exe	aspnet_compiler.exe
PID 1688 wrote to memory of 472	1688	Proforma Invoice PDF.exe	aspnet_compiler.exe
PID 1688 wrote to memory of 472	1688	Proforma Invoice PDF.exe	aspnet_compiler.exe
PID 1688 wrote to memory of 472	1688	Proforma Invoice PDF.exe	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\Proforma Invoice PDF.exe
"C:\Users\Admin\AppData\Local\Temp\Proforma Invoice PDF.exe"
1⤵
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1688

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:472

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-54-0x00000000013D0000-0x00000000013D1000-memory.dmp

Filesize
4KB

Download
memory/1688-56-0x000000001AB90000-0x000000001AB92000-memory.dmp

Filesize
8KB

Download
memory/1688-57-0x0000000000250000-0x0000000000252000-memory.dmp

Filesize
8KB

Download
memory/1688-58-0x00000000004C0000-0x00000000004D1000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing